setting up a vpn between a 2611 and vpn client software

xyyz, Technical User, US, Sep 16, 2000
here's the scenario.

i'm looking to set up a vpn tunnel to my 2611 to access my internal network while i'm away overseas.

i've been looking far and wide for anything on the net about doing exactly this. cisco router to a system using cisco's vpn client software over the internet.

i came across this:


the problem is this: the example they use (and this was also covered in another thread here) has the router's WAN interface as static. in my case, since i use a cable modem, the address is assigned through DHCP. while i generally have the same IP often, i do get a different address more frequently than expected.

if you want to know what i'm talking about, look at the following:

!--- Specify the PreShared key for the LAN-to-LAN tunnel.
!--- Make sure that you use
!--- no-xauth parameter with your ISAKMP key.

crypto isakmp key cisco123 address 172.18.124.199 no-xauth
!

here a static address is assigned. there is no option to put anything other than a static address.

anyone know how i can do this?
 
You can use 0.0.0.0 in the statement to specify any remote IP address. But this example is for a LAN-to-LAN tunnel (router to router), not for a VPN client to connect.

Are you planning to use a VPN client on your laptop when abroad?
 
yeps, that's exactly what i plan on doing.

do you have anything for me that caters to my exact needs?
 
Have a look at this, I've cut it out from a working router.
The bits in CAPITALS need your input. This example allows a VPN client to connect in; the client and router need to share the secure key. Also, when the client connects the user is prompted for a username and password, which is checked against the relevant entry in the router.

ACL 120 needs to be tuned to your requirements, initially start with it off, which allows anyone access, then lock it down to fit your needs.

username USER1 password PASSWORD
!
aaa new-model
! added: the xauth login list, so the username/password the client is
! prompted for is checked against the local "username" entries above
aaa authentication login VPN-auth local
aaa authorization network VPN-group local
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group CUSTOMER-VPN
 key <A-SECURE-KEY>
 wins 172.16.0.114
 domain CUSTOMER.co.uk
 pool ippool
!
crypto ipsec transform-set CUSTOMER-VPN esp-3des esp-sha-hmac
!
! the dynamic map's name must match the one the crypto map entry below
! references (the original read CUSTOMER-CRYPTO-MAP here, which nothing referenced)
crypto dynamic-map CUSTOMER-VPN 10
 set transform-set CUSTOMER-VPN
!
crypto map CUSTOMER-CRYPTO-MAP client authentication list VPN-auth
crypto map CUSTOMER-CRYPTO-MAP isakmp authorization list VPN-group
crypto map CUSTOMER-CRYPTO-MAP client configuration address respond
crypto map CUSTOMER-CRYPTO-MAP 20 ipsec-isakmp dynamic CUSTOMER-VPN
!
interface Ethernet0
 description outside interface
 ip address N.N.N.N 255.255.255.0
 ip access-group 120 in
 no ip proxy-arp
 ip mtu 1440
 ip tcp adjust-mss 1400
 no ip mroute-cache
 half-duplex
 no cdp enable
 crypto map CUSTOMER-CRYPTO-MAP
!
! IKE (UDP 500) and ESP in from anywhere to the outside address, then the
! decrypted client traffic from the address pool into the internal LAN
access-list 120 permit esp any host N.N.N.N
access-list 120 permit udp any host N.N.N.N eq isakmp
access-list 120 permit ip IP-POOL-RANGE 0.0.255.255 INTERNAL-LAN 0.0.0.255
!
ip local pool ippool START-IP END-IP
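A consistency check for a configuration like the one above, added for this thread rather than taken from the poster's router: it parses the IOS text, lists the CAPITALS placeholders still unfilled, checks that every name one statement references (dynamic map, transform set, address pool, the AAA lists, the crypto map applied to the interface) is actually defined, that the crypto map carries an xauth authentication list so the username/password prompt really happens, and that the inbound ACL lets ISAKMP and ESP through. The embedded sample is constructed from the posted config and deliberately keeps a dynamic-map name that does not match its definition and leaves out the xauth lines; the placeholder list and the VPN-auth list name are assumptions of this example.

```python
import re

# Constructed sample (not a capture from a real router): the configuration
# posted above, keeping its placeholders, a dynamic-map name that does not
# match its definition, and no xauth list, so the checker has things to report.
SAMPLE_CONFIG = """\
username USER1 password PASSWORD
aaa new-model
aaa authorization network VPN-group local
crypto isakmp client configuration group CUSTOMER-VPN
 key <A-SECURE-KEY>
 pool ippool
crypto ipsec transform-set CUSTOMER-VPN esp-3des esp-sha-hmac
crypto dynamic-map CUSTOMER-CRYPTO-MAP 10
 set transform-set CUSTOMER-VPN
crypto map CUSTOMER-CRYPTO-MAP isakmp authorization list VPN-group
crypto map CUSTOMER-CRYPTO-MAP client configuration address respond
crypto map CUSTOMER-CRYPTO-MAP 20 ipsec-isakmp dynamic CUSTOMER-VPN
interface Ethernet0
 ip address N.N.N.N 255.255.255.0
 ip access-group 120 in
 crypto map CUSTOMER-CRYPTO-MAP
access-list 120 permit esp any host N.N.N.N
access-list 120 permit udp any host N.N.N.N eq isakmp
access-list 120 permit ip IP-POOL-RANGE 0.0.255.255 INTERNAL-LAN 0.0.0.255
ip local pool ippool START-IP END-IP
"""

# The tokens the poster marked as needing your input (assumed list).
PLACEHOLDERS = ("USER1", "PASSWORD", "<A-SECURE-KEY>", "N.N.N.N",
                "IP-POOL-RANGE", "INTERNAL-LAN", "START-IP", "END-IP")


def config_lines(config):
    """Drop blank and '!' comment lines and strip the sub-mode indentation."""
    return [raw.strip() for raw in config.splitlines()
            if raw.strip() and not raw.strip().startswith("!")]


def names(pattern, lines):
    """Group 1 of PATTERN (anchored at line start) for every line it matches."""
    found = set()
    for line in lines:
        m = re.match(pattern, line)
        if m:
            found.add(m.group(1))
    return found


def check_vpn_config(config):
    """Return a list of findings; an empty list means nothing was flagged."""
    lines = config_lines(config)
    findings = []
    for line in lines:
        for token in PLACEHOLDERS:
            if token in line:
                findings.append(f"placeholder {token} still present: {line}")
    # Every name one statement refers to must be defined by another.
    cross_refs = [
        ("dynamic-map", names(r"crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)$", lines),
         names(r"crypto dynamic-map (\S+) \d+$", lines)),
        ("transform-set", names(r"set transform-set (\S+)$", lines),
         names(r"crypto ipsec transform-set (\S+) ", lines)),
        ("address pool", names(r"pool (\S+)$", lines),
         names(r"ip local pool (\S+) ", lines)),
        ("authorization list", names(r"crypto map \S+ isakmp authorization list (\S+)$", lines),
         names(r"aaa authorization network (\S+) ", lines)),
        ("authentication list", names(r"crypto map \S+ client authentication list (\S+)$", lines),
         names(r"aaa authentication login (\S+) ", lines)),
        ("crypto map", names(r"crypto map (\S+)$", lines),  # the one applied on an interface
         names(r"crypto map (\S+) \d+ ipsec-isakmp", lines)),
    ]
    for kind, referenced, defined in cross_refs:
        for name in sorted(referenced - defined):
            findings.append(f"{kind} {name} is referenced but never defined")
    # The username/password prompt the post describes is xauth, switched on
    # per crypto map with 'client authentication list'.
    for cmap in names(r"crypto map (\S+) \d+ ipsec-isakmp", lines):
        if not any(re.match(rf"crypto map {re.escape(cmap)} client authentication list ", ln)
                   for ln in lines):
            findings.append(f"crypto map {cmap} has no client authentication list (no xauth prompt)")
    # An inbound ACL on the outside interface must let IKE (UDP 500) and ESP in.
    for acl in names(r"ip access-group (\d+) in$", lines):
        entries = [ln for ln in lines if ln.startswith(f"access-list {acl} permit ")]
        if not any(" permit esp " in e for e in entries):
            findings.append(f"ACL {acl} does not permit esp")
        if not any(" permit udp " in e and e.endswith(" eq isakmp") for e in entries):
            findings.append(f"ACL {acl} does not permit udp eq isakmp")
    return findings


if __name__ == "__main__":
    for finding in check_vpn_config(SAMPLE_CONFIG):
        print(finding)
```

Run as a script it prints one line per finding. It only knows the three ACL entries the post uses; a client behind a NAT on the road will also need UDP 4500 (ISAKMP NAT traversal) let in, which this check does not look for.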
 